On 12/10/16 14:46, Konstantinos Tsimaris wrote:
> I have seen various posts mentioning that after 1 January 2017, browsers
> will stop supporting SHA1 signed CAs. I am looking into a way to identify
> which web sites will not work until a new certificate is applied and
> demonstrate that after the change they will work. I know that can be done via
> checking the issued CA. Is there a way, using Firefox, to replicate the
> behavior/block prior to that date?
> Second, I would like to ask if a user has the option to permit it if required, for
> example using "security.pki.sha1_enforcement_level"

That preference is exactly how you test the behaviour prior to the date
the block is implemented. Set the value to 1 (entirely forbidden) or 3
(forbidden for public roots).

Users will be able to permit SHA-1 individually after the block is
enacted by default, using that pref. Also, the current plan is that the
error will be overridable. However, we would counsel all sites to move
away from SHA-1 as the user experience will be as bad as the security.

dev-security-policy mailing list